Case: a specific address cannot be accessed after passing portal authentication at a certain site

2023-06-30 01:45:49 Published

Network Topology

Null

Problem Description

The device is a WX3520H running Release 5432P01. Two ACs form an IRF stack and use centralized forwarding. The main symptom is that, after portal authentication was added, a terminal that has passed portal authentication cannot ping the IPv4 address of one particular internal server, although it can ping other internal and external addresses. A test ping from the AC itself, using its address in the same service VLAN, does reach this address. When portal authentication is removed for testing, the terminal can ping the address normally once it connects to the wireless network.

Process Analysis

1) We first analyze the problem from the perspective of how portal authentication works. A portal free-rule has been configured on site to allow access to this address, so normally the terminal should be able to reach it even before authenticating. However, the on-site tests show that the address cannot be reached whether or not the terminal has been authenticated.

2) Portal authentication was then deleted and only ordinary PSK encryption was used for testing. The terminal could ping the address normally after associating with the wireless network. Based on these two tests, it can be preliminarily concluded that the problem is caused by portal authentication.

3) On-site inspection ruled out a fault in the intermediate equipment.

4) A packet capture was taken on the AC's outbound interface while the problem was occurring. While the terminal pings the address, the capture shows only ICMP request packets and no replies. It also contains redirection packets, for example packets 39754 and 39755. Opening a redirection packet shows that the terminal's traffic to this address is being redirected to the URL configured in the portal web-server.


5) Why is there a redirection? And why is only this specific internal server address unreachable while other addresses are unaffected? Even other addresses on the same network segment as the internal server can be pinged without any issue.

6) Let's return to the core question: why is there a redirection? Reviewing the configuration, we found that the on-site equipment is configured with "portal redirect-rule destination host 10.xx.xx.xx", where the host is exactly the IP address of the internal server. This command configures a destination-based portal forced redirection rule. Regardless of whether the terminal has passed portal authentication, and regardless of whether a free-rule is configured, traffic to that destination is forcibly redirected.

Solution

Delete the forced redirection rule with the following command:

undo portal redirect-rule destination host 10.xx.xx.xx
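
To check a saved configuration for the same conflict before it causes a fault, the following added example (not part of the original case and not H3C tooling) flags every redirect-rule host that falls inside a free-rule destination. The sample addresses are constructed, and the `portal free-rule <number> destination ip <address> <mask>` line form is an assumption; only the redirect-rule command appears in the case.

```python
import ipaddress
import re

# Constructed sample configuration (not from the case). The redirect-rule line
# follows the command quoted in the case; the free-rule line form is an assumption.
SAMPLE_CONFIG = """\
portal free-rule 1 destination ip 10.1.1.10 255.255.255.255
portal free-rule 2 destination ip 10.1.2.0 255.255.255.0
portal redirect-rule destination host 10.1.1.10
portal redirect-rule destination host 10.9.9.9
"""

FREE_RE = re.compile(r"^\s*portal free-rule (\d+) destination ip (\S+) (\S+)")
REDIRECT_RE = re.compile(r"^\s*portal redirect-rule destination host (\S+)")


def find_conflicts(config_text):
    """Return (redirect_host, free_rule_number) pairs where a forced
    redirect-rule host falls inside a free-rule destination network."""
    free_rules = []
    redirect_hosts = []
    for line in config_text.splitlines():
        m = FREE_RE.match(line)
        if m:
            try:
                net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            except ValueError:
                continue  # e.g. "any" or a port keyword where the mask would be
            free_rules.append((int(m.group(1)), net))
            continue
        m = REDIRECT_RE.match(line)
        if m:
            try:
                redirect_hosts.append(ipaddress.ip_address(m.group(1)))
            except ValueError:
                continue  # host given as a name rather than an IP literal
    # Rules are collected first so the order of lines in the file does not matter.
    return [(str(h), num) for h in redirect_hosts
            for num, net in free_rules if h in net]


if __name__ == "__main__":
    for host, rule in find_conflicts(SAMPLE_CONFIG):
        print(f"redirect-rule host {host} overrides free-rule {rule}")
```
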
